Presentation: Secure Programming with Static Analysis

Creating secure code is a hard thing to do. The number of things to get right is almost endless and the price for not succeeding can be extremely high.

In this talk, Brian Chess explains how static source code analysis can help finding the kinds of errors that leads to vulnerabilities and exploits. Highlights from the talk include:

The most common security shortcuts and why they lead to security failures

Why programmers are in the best position to get security right

Where to look for security problems

How static analysis helps

The critical attributes and algorithms that make or break a static analysis tool

How static analysis works and how to integrate it into the software development processes and security code reviews.

Along the way, Brian shows examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.